POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security Pub Date : 2016-10-24 DOI:10.1145/2976749.2989040

Toshinori Usui, Tomonori Ikuse, Makoto Iwamura, T. Yada

{"title":"POSTER: Static ROP Chain Detection Based on Hidden Markov Model Considering ROP Chain Integrity","authors":"Toshinori Usui, Tomonori Ikuse, Makoto Iwamura, T. Yada","doi":"10.1145/2976749.2989040","DOIUrl":null,"url":null,"abstract":"Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of operating systems. It is currently used in malicious documents that exploit viewer applications and cause malware infection. For inspecting a large number of commonly handled documents, high-performance and flexible-detection methods are required. However, current solutions are either time-consuming or less precise. In this paper, we propose a novel method for statically detecting ROP chains in malicious documents. Our method generates a hidden Markov model (HMM) of ROP chains as well as one of benign documents by learning known malicious and benign documents and libraries used for ROP gadgets. Detection is performed by calculating the likelihood ratio between malicious and benign HMMs. In addition, we reduce the number of false positives by ROP chain integrity checking, which confirms whether ROP gadgets link properly if they are executed. Experimental results showed that our method can detect ROP-based malicious documents with no false negatives and few false positives at high throughput.","PeriodicalId":432261,"journal":{"name":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-10-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2976749.2989040","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

Abstract

Return-oriented programming (ROP) has been crucial for attackers to evade the security mechanisms of operating systems. It is currently used in malicious documents that exploit viewer applications and cause malware infection. For inspecting a large number of commonly handled documents, high-performance and flexible-detection methods are required. However, current solutions are either time-consuming or less precise. In this paper, we propose a novel method for statically detecting ROP chains in malicious documents. Our method generates a hidden Markov model (HMM) of ROP chains as well as one of benign documents by learning known malicious and benign documents and libraries used for ROP gadgets. Detection is performed by calculating the likelihood ratio between malicious and benign HMMs. In addition, we reduce the number of false positives by ROP chain integrity checking, which confirms whether ROP gadgets link properly if they are executed. Experimental results showed that our method can detect ROP-based malicious documents with no false negatives and few false positives at high throughput.

查看原文本刊更多论文

海报:考虑ROP链完整性的基于隐马尔可夫模型的静态ROP链检测

面向返回编程(ROP)是攻击者规避操作系统安全机制的重要手段。它目前用于利用查看器应用程序并导致恶意软件感染的恶意文档中。对于大量常用文档的检测，需要高性能、灵活的检测方法。然而，目前的解决方案要么耗时，要么不够精确。本文提出了一种静态检测恶意文档中ROP链的新方法。该方法通过学习已知的恶意文档和良性文档以及用于ROP小工具的库，生成了ROP链和良性文档的隐马尔可夫模型(HMM)。通过计算恶意hmm和良性hmm之间的似然比来执行检测。此外，我们通过ROP链完整性检查来减少误报的数量，ROP链完整性检查确认ROP设备是否正确连接，如果它们被执行。实验结果表明，该方法可以在高吞吐量下检测出基于rop的恶意文档，无假阴性，假阳性少。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

自引率

0.00%

发文量